oauthex: tighten MatchesResource doc + drop whitespace tolerance

Review feedback from a re-read of RFC 9728 / RFC 3986:

- RFC 9728 §3.3 normatively cites RFC 3986 §6.2.1 "simple string
  comparison" (byte-equal), not the trailing-slash form. The spec
  basis for slash tolerance is RFC 3986 §6.2.3 (scheme-based
  normalization), which lists empty-path → "/" among the normalizations
  permitted *but not required*. Reframe the doc accordingly so reviewers
  don't have to re-derive the citation.

- Drop strings.TrimSpace. No RFC permits whitespace around a JWT aud
  URI; tolerating it silently accepts a malformed claim instead of
  surfacing it. If a real IdP ever emits whitespace, that's a bug in
  the IdP, not something a generic helper should paper over.

- Document the §6.2.3 features deliberately NOT applied (host case
  fold, default-port elision) so callers know two distinct registered
  resources cannot collide via these normalizations. Added negative
  tests pinning each boundary.

- Point byte-equal-strict callers at the direct == comparison so they
  know they don't need a separate helper.

Behavior change: claims with surrounding whitespace now return false
(previously returned true). The only realistic caller — token
validation — already gets malformed-aud rejection elsewhere via
jose/oidc parsers, so this surfaces upstream bugs rather than hiding
them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: BorisTyshkevich

oauthex/audience.go

@@ -6,27 +6,37 @@ package oauthex
 
 import "strings"
 
-// MatchesResource reports whether any of `claims` matches `resource` under
-// the canonical-form (trailing slash) tolerance required by RFC 9728
-// (Protected Resource Metadata) and RFC 8707 (Resource Indicators). Both
-// canonical and non-trailing-slash forms compare equal.
+// MatchesResource reports whether any of claims matches resource under
+// RFC 3986 §6.2.3 scheme-based normalization, narrowed to the empty-path
+// case: a URI with an empty path is treated as equivalent to one with a
+// path of "/". All other URI components (scheme, host case, port, query,
+// fragment) must match exactly — this is intentionally narrower than the
+// full §6.2.3 rung, which would also fold scheme/host case and default
+// ports.
 //
-// Background: RFC 9728 §3.3 canonicalises the protected-resource identifier
-// with a trailing slash, but RFC 8707 resource indicators sometimes omit it,
-// and upstream IdPs vary in which form they emit in `aud` claims (Google
-// trims, Auth0 retains, claude.ai round-trips whichever it received). Strict
-// byte equality therefore fails routinely on legitimate setups. This helper
-// matches both forms while preserving exact-equality semantics — leading
-// whitespace, schemes, paths must still match.
+// RFC 9728 §3.3 normatively requires "simple string comparison" per
+// RFC 3986 §6.2.1 (byte-equal). Callers that need strict byte-equal
+// semantics should compare claims to resource directly:
+//
+//	for _, c := range claims { if c == resource { return true } }
+//
+// Background: RFC 9728 §3.3 canonicalises the protected-resource
+// identifier with a trailing slash, but RFC 8707 resource indicators
+// sometimes omit it, and upstream IdPs vary in which form they emit in
+// `aud` claims (Google trims, Auth0 retains, claude.ai round-trips
+// whichever it received). Strict byte equality therefore fails routinely
+// on legitimate setups; this helper is the most common pragmatic relaxation
+// while keeping path/scheme/host strict so token confusion across distinct
+// resources still fails closed.
 //
 // Returns false when claims is empty.
 func MatchesResource(claims []string, resource string) bool {
-	expected := strings.TrimRight(strings.TrimSpace(resource), "/")
+	expected := strings.TrimRight(resource, "/")
 	for _, c := range claims {
 		if c == resource {
 			return true
 		}
-		if strings.TrimRight(strings.TrimSpace(c), "/") == expected {
+		if strings.TrimRight(c, "/") == expected {
 			return true
 		}
 	}

oauthex/audience_test.go

@@ -31,12 +31,6 @@ func TestMatchesResource(t *testing.T) {
 			resource: "https://mcp.example.com/",
 			want:     true,
 		},
-		{
-			name:     "claim with surrounding whitespace",
-			claims:   []string{"  https://mcp.example.com/  "},
-			resource: "https://mcp.example.com",
-			want:     true,
-		},
 		{
 			name:     "multiple claims, one matches",
 			claims:   []string{"https://other.example.com/", "https://mcp.example.com"},
@@ -67,6 +61,34 @@ func TestMatchesResource(t *testing.T) {
 			resource: "https://mcp.example.com/",
 			want:     false,
 		},
+		// The following document the intentional boundaries: §6.2.3 also
+		// permits scheme/host case folding and default-port elision, but
+		// MatchesResource deliberately does NOT, so two distinct
+		// registered resources cannot collide via these normalizations.
+		{
+			name:     "host case difference is not tolerated",
+			claims:   []string{"https://MCP.example.com/"},
+			resource: "https://mcp.example.com/",
+			want:     false,
+		},
+		{
+			name:     "default-port elision is not tolerated",
+			claims:   []string{"https://mcp.example.com:443/"},
+			resource: "https://mcp.example.com/",
+			want:     false,
+		},
+		{
+			name:     "query string difference is not tolerated",
+			claims:   []string{"https://mcp.example.com/?x=y"},
+			resource: "https://mcp.example.com/",
+			want:     false,
+		},
+		{
+			name:     "surrounding whitespace is not tolerated (malformed claim)",
+			claims:   []string{"  https://mcp.example.com/  "},
+			resource: "https://mcp.example.com/",
+			want:     false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {